Secure Computing with Windows

WASHINGTON (Rixstep) -- It's got to the point where it's no fun anymore, declares Brian Krebs at Security Fix at the Washington Post. When such an unequivocal statement comes from a computer security journalist at one of the most renowned publications in the world, you know it's not a trivial matter - it's serious.

Brian uses all sorts of computers and operating systems because he has to - he covers the gamut of Internet and computer security. He's long been a happy camper with an Apple MacBook Pro running Mac OS X but he has to run Windows too - just to see how bad it really is.

Reports have been streaming into him for months from clueless companies blaming their banks for their own ineptitude. These stories tell a consistent tale of Microsoft Windows being compromised and leaving users up the creek - often with tens or hundreds of thousands of dollars out the window.

You can only stand idly by watching the rout for so long - at the end of the day you have to react. Brian's reacted - he's been publishing tutorials on how Windows lusers can still get their online banking and other critical tasks completed by preempting Microsoft and using an Ubuntu Live CD instead.

Also known as 'Live CDs', these are generally free Linux-based operating systems that one can download and burn to a CD-ROM or DVD. The beauty of Live CDs is that they can be used to turn a Windows-based PC into a provisional Linux computer. Programs on a Live CD are loaded into system memory, and any changes - such as browsing history or other activity - are completely wiped away after the machine is shut down.

More importantly, malware built to steal data from Windows-based systems simply won't work when the user is booting from a Live CD. Even if the Windows installation on the underlying hard drive is completely corrupted with a keystroke-logging virus or trojan, the malware can't capture the victim's banking credentials if that user only transmits his user name and password after booting up into one of these Live CDs.

Brian continued the same day (12 October) with a new article cutely entitled 'Avoid Windows Malware: Bank on a Live CD' where he pointed out he was hardly the only authority recommending such measures.

An investigative series I've been writing about organized cyber crime gangs stealing millions of dollars from small to mid-sized businesses has generated more than a few responses from business owners who were concerned about how best to protect themselves from this type of fraud.

I do not offer this recommendation lightly (and at the end of this column you'll find a link to another column wherein I explain an easy-to-use alternative). But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way.

But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: they succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer.

Yes, it's Windows and always Windows and has never been anything but Windows, but consider if you will how difficult it is for any journalist to come out and say so. Publishing negative comments about anything - especially a megabully like Microsoft - necessitates long meetings in the editor's office. The editor has to guarantee the owners that nothing bad will come of it all.

When Microsoft have such incredible clout they can get people sacked (such as Dan Geer) with a single phone call, you have to be careful.

And yet these articles are published at the Washington Post. The high profile news source that exposed Watergate. And that means not only that Brian made up his mind but that he convinced his editor who in turn convinced the bosses and owners - and remembering it's Microsoft they're dealing with, that's not insignificant.

BBC News continue to cower before the Microsoft lobbyists and pretend nothing exists outside the world of Windows - and the BBC are supposed to be the best and most honest journalists in the world.

The very fact the Washington Post can come out in so many words and tell people to not use Windows is about as damning as you can get. It also means the market has finally reached a tipping point - despite the considerable pressure Redmond will put on them, the articles stand. Because they're the truth and because there is no alternative.

Brian published another article in the series today: 'E-Banking on a Locked Down PC, Part II'. Here he deals with the Windows defenders who just won't give up the idea that the system will work. He takes on all the arguments one by one and dashes them to the ground.

Limited user account? Yeah right.

A number of today's more advanced threats - including the Zeus Trojan, a sophisticated family of malware most commonly associated with these attacks against small businesses - will just as happily run on a limited user account as an administrator account in Windows.

And then he lowers the boom on the Windows security cottage industry parasites.

Since this series began, I have been flooded with pitches from companies providing all manner of security products and services aimed at securing the online banking site from the user's end. But in my opinion, most of these approaches come up short, erecting yet another hoop for the user (and the bad guys) to jump through.

From where I sit, any solution that fails to assume that a customer's system is already completely owned by the bad guys doesn't have a prayer of outsmarting today's threats. I find it strange that so few security companies are talking about what appears to be a clear demand for better back-end fraud detection technologies by many of the nation's banks (more on this topic in a future column).

It's also interesting to see that there are still people in the financial or security industry touting security tokens as the answer to this type of fraud. In break-in after break-in, the perpetrators have shown their ability to slip past virtually all of the customer-dependent security barriers erected by online banks (e.g. passwords, secret questions, and token-generated one-time codes).

But what's perhaps most amazing of all is how so many people will cling to such a hopeless third rate system anyway.

Read Brian's articles at the links below. Tell your Windows luser friends about the articles. Get them to read, absorb, and wake the F up.

This will serve as an informal report for the desktop computer you submitted for forensic analysis.

1) The original drive was imaged to DVD media to preserve the original state of the machine. This was not a full forensic image (sector-by-sector) but rather a more condensed image of active sectors (far less data to archive). Based upon discussions with you, this was deemed more appropriate. ** You will receive the Forensic DVD system image.

2) The original drive was imaged again to an external drive to be used for scanning and analysis.

3) Subsequent analysis was performed on the copied drive only. The original drive remains exactly as it was when we received the desktop computer. ** You will receive your system back exactly as provided to PacStates for analysis.

5) Using a Windows-based scanning tool, the drive showed no infections. However, several directory trees and files could not be accessed, indicating that the tools were not able to complete a 100% analysis. Normally this isn't considered unusual, but given the nature and ingenuity of the suspected attack, we felt that further research was warranted.

6) We built a Linux-based system to repeat selected scans and analysis on the theory that Linux would bypass possible Windows-based protocols to protect and/or hide files. Selected scans were repeated with the copied drive using the Linux system.

8) A search for Trojan.Zbot-5918 returns the following information:

a) Trojan.Zbot has variations: Trojan-Spy:W32/ZBot.HS, Trojan-Spy:W32/Zbot.KZ (and others).

b) Attempts to steal online banking login information and other sensitive data from the infected computer.

c) ZBot variants target online banking. Banks in multiple countries have been targeted. Various languages have been used in spam pushing the installation.

d) ZBot variants use modular components (configuration and commands) downloaded from the Internet after installation. The components are encrypted and hinder full analysis, as the ZBot requires an online connection and all components to determine full functionality.

e) Browser activity is monitored for multiple '.fi', '.ch', '.de', '.nl' and '.com' bank URL addresses. Logging online banking information is the primary payload of Trojan-Spy:W32/Zbot variants.

f) ZBot.HS attempts to hide using stealth techniques.

g) Attack vector variations are likely, but the Trojan.Zbot appears to commonly infect through spam, using social engineering to trick the user into clicking a link, which downloads the trojan and results in the infection.

h) More information: http://www.f-secure.com/v-descs/trojan-spy_w32_zbot_hs.shtml

9) CONCLUSION: It is highly likely that this computer's infection resulted in unauthorized bank account access since that is its observed behavior.

10) RECOMMENDATION: Completely erase and reinstall all software on this desktop computer, including the O/S and business applications. Use the DVD image to retrieve any existing data files that are required - do not boot up this computer while connected to your company's network.

*****

That's it. I can produce a more complete and detailed report, but I don't think GenLabs will benefit from further analysis or detail beyond the above conclusion and recommendation.
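The imaging discipline in the report above (copy the drive, hash both sides, leave the original untouched, and work only on the copy) as an added shell example; this is not PacStates' procedure or tooling. It assumes a GNU/Linux userland with dd and sha256sum, and the source path is either a block device (run as root, ideally behind a write blocker) or, for the self-test, a constructed file.

```shell
#!/bin/sh
# Added example: image a source drive to a file, verify the copy hash for hash,
# and keep a log that can be re-checked before every later analysis session.
# The source is only ever opened for reading; on a real evidence drive use a
# hardware write blocker or `blockdev --setro /dev/sdX` first.
set -eu

# image_and_verify SOURCE IMAGE
# bs=512 matches the sector size, so conv=noerror,sync can skip a bad sector
# (padding it with zeros, which the log will show) without shifting offsets.
# Returns 0 only when the SHA-256 of the source equals that of the image.
image_and_verify() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "source: $src sha256=$src_hash"
        echo "image:  $img sha256=$img_hash"
    } >>"$img.log"
    # Store the image hash in sha256sum -c format for later re-verification.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" >"$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE
# Re-check the image against its recorded hash, so that a scanner that wrote
# to the copy (or a mistaken write) is caught before the copy is trusted.
verify_image() {
    img="$1"
    (cd "$(dirname "$img")" && sha256sum -c "$(basename "$img").sha256" >/dev/null 2>&1)
}

# Stand-alone use: sh image.sh /dev/sdX /mnt/evidence/case01.dd
if [ $# -eq 2 ]; then
    image_and_verify "$1" "$2" && echo "image verified: $2"
fi
```

Mount the verified image read-only (for example with `mount -o ro,loop`) for the Linux-side scans, never the original drive.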